Friday 9 November 2012

The Death of PCI: Two-Factor Online Payments

Back in September 2007, I attended the inaugural Payment Cards Industry Security Standards Council (PCI SSC) Community Meeting in Toronto.  These were the days before PCI was big business, there must of been only a couple of hundred people at the event in a typical down town Hotel in Toronto.  PCI was still finding its feet, the PCI SSC Board members spent most of the event being grilled by delegates brimming with questions about the PCI standard, and it is fair to say some delegates weren't happy chappies at all. I took the opportunity of asking SSC Board members several questions myself, looking back today some of my questions could be seen as rather naive, given who is behind setting up the PCI SSC and why. 

I asked why PCI SSC doesn't just regulate the card issuers, challenge them with a standard to secure the cards and cardholder data to a higher degree, instead of passing the buck onto to everyone else in the industry. I explained how in Europe we had just started using a new two-factor authentication system, Chip and Pin, which was already dramatically cutting face-to-face card fraud (known as cardholder-present transactions). I argued they just needed to replicate the two-factor authentication for when we couldn't prove a person (cardholder) was in possession of a payment card, specifically with telephone, online and perhaps mail order payments (known as cardholder-not-present or MOTO payments).  My point was the industry should be focusing on updating the plastic card technology itself, which had been standing still for decades with its 1970s magnetic strip holding sensitive card data on the back, wasn't it time to evolve the technology and make the cardholder data itself worthless, in order to combat card fraud more effectively? 
Magnetic Strip
Of course these questions and points all fell onto deaf ears, as the PCI SSC is about regulating cardholder data beyond the card issuers, passing the failing and fraud cost of weakly secured plastic cards onto the Payment Processors and Retailers, that need to process them for payments.  The one big downside to PCI DSS, is companies are paying to protect someone else's data, as cardholder belongs to the card brands (i.e. Visa, MasterCard, Amex), and not to the cardholders. My gripe is companies invest more in protecting someone else's data better than they do their own confidential information, and more importantly more than other people's personal sensitive data. This often leads to their information security budgets being plundered by PCI programmes in order to protect card brand's data at the expensive of protecting citizen's personal data.

Five years on from that Toronto meeting, it is clear for many years now, that Chip & Pin (EMV) works in cutting cardholder present fraud, every Information Security professional knows the benefits in using a two-factor authentication system. Only now has North America finally started to push Chip & Pin for cardholder present transactions following the European success, could the penny have finally dropped? Are card brands and card issuers now seriously thinking about using two-factor authentication to protect online transactions from fraud as well?

To secure online transactions in the same way as Chip & Pin, you need to ensure the cardholder is in possession of their card. This can be accomplished by using a unique number generator onto a thin LCD screen on the card itself, this card number. This one time number can be generated using a timed encryption sequence  which creates a unique number valid only for a limited time. This number can be keyed in or spoken by the cardholder, and so used to corroborate the payment card itself is in possession of a cardholder. Further the security could be seriously ramped up by first requiring the cardholder to type in their PIN on the card itself before generating the number. This gives a two-factor authentication for online and telephone payments (MOTO), both proof of possession of the card (something you have), and the cardholder must know their PIN number (something you know), well recently both Visa Europe and MasterCard have announced new cards that do just that.

MasterCard's Two-Factor Payment Card

Visa's Two-Factor Payment Card

Why we want one of those
Most card consumers don't want gimmicky pictures of themselves on their payment cards, we want two-authentication for all our card payments, not just at the checkout. Why? because consumers actually do care about having their accounts hit by fraudulent transactions, and do want to be decently protected, as when all is said and done, all consumers foot both the card fraud bill and the retailers PCI bill. These new generation of cards present dealing with the root cause of the card fraud problem, the weakly secured plastic itself, and has to be the best way forward.

Death of PCI
For retailers, if all cards switched to two-factor authentication completely, it could finally mean they don't need to protect cardholder data, certainly not to the same degree at present, which really could spell the death of PCI. We'll have to wait and see before this 'not new' technology takes off in the industry, but I don't think PCI DSS will be around a decade from now.


Matt Presson said...

Great article, but I think this does not completely solve all the issues that exist. For instance, what about recurring payments or Amazon-style systems where the card number is provided a single time and payments are made ad-hoc?

Anonymous said...

I was the designer of the CAP 2FA solution for EMV cards at a large UK bank. The CAP 2FA solution actually allows 3 different functions:

+ a one time passcode
+ a challenge/response (which is basically a signed transaction)
+ a more sophisticated challenge response that allows 2 bits of data to be entered by the user - a number and a value (useful for signing transactions)

In all cases, the response code contains other information to help the bank understand the state of the card.

In the UK, CAP 2FA is now everywhere but requires a standard sleeve reader (that is interchangeable between EMV cards issued by different banks)

The nice feature about CAP 2FA is that there are clear and open protocols between the functionality offered by the chip on the card and how thesleeve reader responds to that interface. I do hope that the designers of the integrated device have kept these boundaries otherwise they will be hacked at some stage.

Jeff Hall said...

I think the mobile payment capability on phones is what we'll see take over using single use 16 digit codes similar in concept to the codes generated by RSA SecurID and similar two-factor security technologies. The code will be generated as a 1D or 2D bar code on the phone screen so that existing merchant technology will work with it. This same solution can be used with a EMV style card for people that do not have or want a smartphone.

sarah lee said...

I congratulate on your extraordinary article.Thanks a lot.
Business security systems

sarah lee said...

I congratulate on your brilliant article and information.
Business security systems